Authenticated tracking API requests

  1. We have set up the LoginSAML plugin provided by Matomo to set up our OAuth mechanism.
  2. We have used Azure AD for setting up SSO with Matomo.
  3. This SSO setup works well while logging into the Matomo dashboard and accessing it, and the flow is smooth in that aspect.
  4. But the Matomo script that gets called when an event is triggered from our application is unauthenticated.
  5. The matomo.php script that gets triggered from our Matomo-analytics-integrated web app is getting triggered without authentication.
  6. If I take the matomo.php trigger script URL from the Network tab in developer tools, the same URL can be triggered by anyone from a browser URL bar without any hindrance.
  7. This introduces a vulnerability in the entire flow, as someone with access to the URL can spam our system with unlimited events just by hitting the script URL in a new browser tab.
  8. We want the matomo.php script to only save events that are triggered with an auth_token from the LoginSAML plugin.
  9. Will this be possible with the LoginSAML plugin? If yes, what configuration changes do we need to make in our plugin?

We are also facing the same issue. Can someone from the Matomo team please reply to this query…

The LoginSAML plugin is, as its name says, used to log in to Matomo. It is not designed for tracking…
Most of the time there is no need to secure the tracking itself. But if you want to do so, you have to track from within the tracked application (server-side), and make the Matomo tracking endpoint accessible only from your application server. Then the tracked application manages the authentication itself (tracks only authenticated users). I think this is too much work just for tracking prevention…
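As an added example of the server-side approach the reply above describes (this is not code from the thread or from Matomo): the application resolves the caller's own session first and only then builds and forwards the event to matomo.php, so a request without a valid session is dropped before anything reaches the tracker. The endpoint, site id, token_auth, signing key and session store are constructed placeholders; the tracking parameters used (idsite, rec, apiv, rand, _id, uid, e_c, e_a, e_n, e_v, url, ua, cip, token_auth) are those of Matomo's Tracking HTTP API. Restricting network access to matomo.php to the application servers is a firewall or reverse-proxy matter and is not shown here.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# All names and values below are assumptions for this example, not taken from the thread.
MATOMO_ENDPOINT = "https://matomo.internal.example/matomo.php"  # reachable only from the app servers
MATOMO_SITE_ID = 1
# token_auth of a Matomo user with write access on the site. Needed for server-side hits that set
# cip (client IP) or cdt (timestamp). Constructed placeholder, never a real token.
MATOMO_TOKEN_AUTH = "0123456789abcdef0123456789abcdef"
# Secret used to derive the Matomo _id from the user id, so the tracker never sees the session id.
VISITOR_ID_KEY = b"constructed-visitor-id-key"

# Constructed stand-in for the application's real session store (e.g. sessions established via SAML).
SESSIONS = {
    "sess-alice": {"user_id": "alice@example.com"},
}


class Unauthenticated(Exception):
    """Raised when a tracking request is not backed by a valid application session."""


def resolve_user(session_id):
    """Map a session id to the authenticated user, or refuse the hit."""
    user = SESSIONS.get(session_id)
    if user is None:
        raise Unauthenticated("no valid session; event dropped")
    return user


def visitor_id(user_id):
    """Matomo expects _id as 16 hex chars; derive it with a keyed hash so it is stable but not guessable."""
    return hmac.new(VISITOR_ID_KEY, user_id.encode(), hashlib.sha256).hexdigest()[:16]


def build_event_hit(session_id, category, action, name=None, value=None,
                    url=None, client_ip=None, user_agent=None):
    """Build the matomo.php parameters for an event, only for an authenticated session."""
    user = resolve_user(session_id)
    params = {
        "idsite": MATOMO_SITE_ID,
        "rec": 1,
        "apiv": 1,
        "rand": secrets.randbelow(10**9),  # cache buster
        "_id": visitor_id(user["user_id"]),
        "uid": user["user_id"],
        "e_c": category,
        "e_a": action,
    }
    if name is not None:
        params["e_n"] = name
    if value is not None:
        params["e_v"] = value
    if url is not None:
        params["url"] = url
    if user_agent is not None:
        params["ua"] = user_agent
    if client_ip is not None:
        # Without token_auth Matomo ignores cip and records the app server's IP instead.
        params["token_auth"] = MATOMO_TOKEN_AUTH
        params["cip"] = client_ip
    return params


def send_hit(params, transport):
    """POST the hit via an injectable transport (a real one would use urllib/requests over the private network)."""
    body = urlencode(params)
    return transport(MATOMO_ENDPOINT, body)


def relay_event(session_id, transport, **event):
    """The app's server-side entry point: authenticate first, then forward. Returns True if forwarded."""
    try:
        params = build_event_hit(session_id, **event)
    except Unauthenticated:
        return False
    send_hit(params, transport)
    return True


if __name__ == "__main__":
    sent = []
    fake_transport = lambda url, body: sent.append((url, body))
    print(relay_event("sess-alice", fake_transport, category="Checkout", action="Pay",
                      client_ip="203.0.113.7", url="https://app.example/checkout"))  # True
    print(relay_event("sess-forged", fake_transport, category="Checkout", action="Pay"))  # False
    print(len(sent))  # 1
```

The browser no longer talks to matomo.php at all; it calls the application, which owns the session check, and the application is the only host the tracking endpoint accepts connections from. The transport is injected so the block runs offline; in production it would be a plain HTTPS POST from the app server.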